January 7, 2026
Authentication Failure: VCF SSO Broken
vCenter vIDB Service Unavailable
The Issue?
It is extremely important that you maintain password validity in your environment, along with other critical infrastructure components such as certificates. If you do not, you may fall into the same trap as I did here. It is also worth noting, for those of you running an internal / embedded vIDB, that you should eventually move to an external one for dedicated authentication.
Note: The services may not necessarily be down / in a crashed state.
You can verify the service status on vCenter either through VAMI (https://vCenterFQDN:5480) or from the CLI using something like PuTTY and the relevant commands. I also ensured all passwords were in sync, reset and operational before following through with the rest of the article, as doing so did not resolve the issues.
curl --location 'https://ops.shank.com/suite-api/api/auth/token/acquire' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{ "username":"admin", "password":"VMware123!VMware132!"}'

As you can see below, I am now able to reconfigure VCF SSO in VCF Operations.
The error messages were “Sorry. we encountered an error. Error message: Failed to delete IDP for xxxx . Changes will be rolled back” and “Unable to reset SSO. Please resolve the issues and try again.”
Fixing The Issue
For my dual-region VCF setup, I previously set up VCF SSO using embedded vIDB, which was hosted on the vCenter mentioned above that had expired passwords.

After an extended period of time (holiday season), my lab was left unattended. Warnings of password expirations and certificates were missed, which resulted in the vCenter root password amongst others expiring.


curl --insecure --location --request DELETE 'https://ops.shank.com/suite-api/internal/vidb/identityproviders?vidbResourceId=########-####-####-####-############&purgeSSOConfig=true' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: vRealizeOpsToken {{token}}' \
--header 'X-vRealizeOps-API-use-unsupported: true'

curl -k --location 'https://ops.shank.com/suite-api/internal/vidb/identityproviders' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: vRealizeOpsToken {{token}}' \
--header 'X-vRealizeOps-API-use-unsupported: true'

The first thing we will need to do is obtain a token from VCF Operations so we can issue the subsequent API calls.
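The token and identity provider listing calls from this post, chained in one script so the admin password is typed at a prompt and sent on curl's stdin rather than written on the command line. This is an added example, not the author's or VMware's code; the function names, the OPS_URL variable and the assumption that the acquire response carries the token in a top-level "token" field are mine.

```bash
#!/usr/bin/env bash
# Added example. Certificate verification stays on; for a private CA,
# point curl at it with the CURL_CA_BUNDLE environment variable.
set -eu
OPS_URL="${OPS_URL:-https://ops.shank.com}"   # host as used in the post

# Escape backslashes and double quotes so a password containing them
# cannot break out of the JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the JSON body for the token request.
build_payload() {
  printf '{"username":"%s","password":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# Pull the token out of the acquire response (assumed field name: "token").
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Acquire a token. The body reaches curl on stdin (--data @-), so the
# password never appears in curl's arguments or in shell history.
acquire_token() {
  local user="$1" pass resp
  read -r -s -p "Password for ${user}: " pass; echo >&2
  resp="$(build_payload "$user" "$pass" | curl --silent --show-error --fail \
    --location "${OPS_URL}/suite-api/api/auth/token/acquire" \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' --data @-)"
  extract_token "$resp"
}

# List identity providers with the token (same request as in the post).
list_idps() {
  curl --silent --show-error --fail \
    --location "${OPS_URL}/suite-api/internal/vidb/identityproviders" \
    --header 'Accept: application/json' \
    --header "Authorization: vRealizeOpsToken $1" \
    --header 'X-vRealizeOps-API-use-unsupported: true'
}

# Network calls run only when asked: ./script.sh run admin
if [ "${1:-}" = "run" ]; then
  token="$(acquire_token "${2:-admin}")"
  [ -n "$token" ] || { echo "no token in response" >&2; exit 1; }
  list_idps "$token"
fi
```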
